tobychui / zoraxy

A general purpose HTTP reverse proxy and forwarding tool. Now written in Go!
https://zoraxy.aroz.org
GNU Affero General Public License v3.0
3.05k stars 184 forks

[BUG] Security Issue // Vulnerability Scan indicates the reverse Proxy is insecure // CVSS 7.5 #372

Closed overcuriousity closed 2 weeks ago

overcuriousity commented 2 weeks ago

Findings from Security Scan

Results from a simple Greenbone Security Scan run on a WAN Address I control:

[CVE-2016-2183] [CVE-2016-6329] [CVE-2020-12872]

SSL/TLS: Report Vulnerable Cipher Suites for HTTPS

Summary: This routine reports all SSL/TLS cipher suites accepted by a service where attack vectors exist only on HTTPS services.

Detection Result: 'Vulnerable' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

To Reproduce: Steps to reproduce the behavior:

  1. Run simple Greenbone Vulnerability Assessment on WAN Address
  2. Receive described result

Expected behavior: Have no vulnerabilities.

Edit: It reports that the TLSv1.2 protocol is affected by these vulnerabilities. According to RFC 8446, the affected algorithms would be discarded by enforcing TLSv1.3: https://www.rfc-editor.org/rfc/rfc8446#section-1.2

tobychui commented 2 weeks ago

@overcuriousity These are TLSv1.2 protocol bugs and not a Zoraxy bug. Zoraxy uses the standard Golang library for the implementation. Please report these security findings to the Go issue page instead.
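For a Go server built on crypto/tls, both remedies raised in this thread (pinning a TLS 1.2 suite list without 3DES, or requiring TLS 1.3 as the reporter suggests) live in the tls.Config given to the listener. The following is an added example, not Zoraxy's code; the function names are mine, and the check treats an unpinned TLS 1.2 suite list as "unknown" because the suites Go offers by default differ between Go versions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// The two SWEET32-affected suites named in the Greenbone finding above.
var sweet32Suites = map[uint16]bool{
	tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: true,
	tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA:       true,
}

// hardenedCipherSuites returns every suite Go supports except those the
// standard library flags as insecure or that use 3DES or RC4. Filtering
// explicitly avoids depending on which suites a given Go version enables.
func hardenedCipherSuites() []uint16 {
	var ids []uint16
	for _, cs := range tls.CipherSuites() {
		if cs.Insecure || strings.Contains(cs.Name, "3DES") || strings.Contains(cs.Name, "RC4") {
			continue
		}
		ids = append(ids, cs.ID)
	}
	return ids
}

// tls12HardenedConfig keeps TLS 1.2 clients working but pins the suite list.
func tls12HardenedConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: hardenedCipherSuites()}
}

// tls13OnlyConfig is the reporter's option: TLS 1.3 defines no CBC or 3DES
// suites, and Go ignores CipherSuites when negotiating 1.3.
func tls13OnlyConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS13}
}

// offersSweet32 reports whether a config could still negotiate a 3DES suite.
// A nil CipherSuites list on a TLS 1.2 config means "Go defaults", which is
// conservatively reported as true so the caller is pushed to pin the list.
func offersSweet32(cfg *tls.Config) bool {
	if cfg.MinVersion >= tls.VersionTLS13 {
		return false
	}
	if cfg.CipherSuites == nil {
		return true
	}
	for _, id := range cfg.CipherSuites {
		if sweet32Suites[id] {
			return true
		}
	}
	return false
}

func main() {
	for _, cfg := range []*tls.Config{{MinVersion: tls.VersionTLS12}, tls12HardenedConfig(), tls13OnlyConfig()} {
		fmt.Printf("min=%#x pinned=%d sweet32=%v\n", cfg.MinVersion, len(cfg.CipherSuites), offersSweet32(cfg))
	}
}
```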